A disgruntled Conti affiliate has leaked the training material the gang gives its affiliates 
for conducting attacks, along with information about one of the ransomware's operators. 


The Conti Ransomware operation is run as a ransomware-as-a-service (RaaS), where the 
core team manages the malware and Tor sites, while recruited affiliates perform network 
breaches and encrypt devices. 


As part of this arrangement, the core team earns 20-30% of a ransom payment, while the 
affiliates earn the rest. 


Today, a security researcher shared a forum post created by an angry Conti affiliate who 
publicly leaked information about the ransomware operation. This information includes the 
IP addresses for Cobalt Strike C2 servers and a 113 MB archive containing numerous tools 
and training material for conducting ransomware attacks. 


[Screenshot: Forum post from disgruntled affiliate] 

The affiliate said they posted the material because they were paid only $1,500 for their 
part in an attack, while the rest of the team makes millions and promises big payouts after 
a victim pays a ransom. 


"I merge you their ip-address of cobalt servers and type of training materials. 1500 $ yes, of 
course, they recruit suckers and divide the money among themselves, and the boys are fed 
with what they will let them know when the victim pays," the affiliate posted to a popular 
Russian-speaking hacking forum. 


Attached to the above post are images of Cobalt Strike beacon configurations that contain 
the IP addresses for command and control servers used by the ransomware gang. 


In a tweet, security researcher Pancak3 advised everyone to block those IP addresses to 
prevent attacks from the group. 


go block these 
162.244.80.235 
85.93.88.165 
185.141.63.120 
82.118.21.1 


— pancak3 (@pancak3lullz) August 5, 2021 
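As an added example (not from the article or the researcher's tweet), the check below retro-hunts constructed Zeek-style connection log lines for traffic to the four C2 addresses listed in the tweet and emits matching outbound block rules; the sample log lines and the iptables rule form are assumptions, not material from the leak.

```python
import ipaddress
from datetime import datetime, timezone

# Cobalt Strike C2 addresses as listed in the tweet quoted above.
CONTI_C2_IPS = frozenset({
    "162.244.80.235",
    "85.93.88.165",
    "185.141.63.120",
    "82.118.21.1",
})

# Constructed sample in Zeek conn.log style (ts, src, src_port, dst, dst_port, proto).
# Invented for this example; not real traffic from the article.
SAMPLE_CONN_LOG = """\
1628150400.101\t10.0.12.34\t49152\t142.250.74.110\t443\ttcp
1628150421.553\t10.0.12.34\t49160\t162.244.80.235\t443\ttcp
1628150430.002\t10.0.7.5\t51234\t10.0.0.1\t53\tudp
1628150498.777\t10.0.12.34\t49171\t85.93.88.165\t80\ttcp
1628150550.314\t10.0.3.9\t50000\t185.141.63.120\t8080\ttcp
malformed line that should be skipped
"""

def parse_conn_log(text):
    """Yield (ts, src, dst, dst_port) tuples; lines that do not parse are skipped."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 6:
            continue
        try:
            ts = float(parts[0])
            ipaddress.ip_address(parts[1])   # validates the source address
            ipaddress.ip_address(parts[3])   # validates the destination address
            dport = int(parts[4])
        except ValueError:
            continue
        yield ts, parts[1], parts[3], dport

def find_c2_contacts(text, c2_ips=CONTI_C2_IPS):
    """Return every connection to a listed C2 address: who, when (UTC) and which port."""
    hits = []
    for ts, src, dst, dport in parse_conn_log(text):
        if dst in c2_ips:
            when = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
            hits.append({"when": when, "src": src, "c2": dst, "port": dport})
    return hits

def iptables_block_rules(c2_ips=CONTI_C2_IPS):
    """Outbound DROP rules for the listed addresses, in numeric order for stable output."""
    return [f"iptables -A OUTPUT -d {ip} -j DROP"
            for ip in sorted(c2_ips, key=ipaddress.ip_address)]
```

Running `find_c2_contacts(SAMPLE_CONN_LOG)` on the constructed log reports the two internal hosts that reached listed addresses; hosts that appear there warrant investigation rather than just a block.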


In a subsequent post, the affiliate shared an archive containing 111 MB of files, including 
hacking tools, manuals written in Russian, training material, and help documents that are 
allegedly provided to affiliates when performing Conti ransomware attacks. 


A security researcher shared a screenshot of this extracted folder with BleepingComputer. 
We were told it contains a manual on deploying Cobalt Strike, mimikatz to dump NTLM 
hashes, and numerous other text files filled with various commands. 
[Screenshot: Leaked Conti training materials. The folder listing shows files such as 
ad_users.txt, CS4.3_Clean ahsh4veaQu .7z, DAMP NTDS.txt, domains.txt, enhancement-chain.7z, 
Kerber-ATTACK.rar, NetScan.txt, p.bat, PENTEST SQL.txt, ProxifierPE.zip, RDP NGROK.txt, 
RMM_Client.exe, Routerscan.7z, RouterScan.txt and SQL DAMP.txt, plus a number of 
Russian-language text files whose names are not legible in the capture.] 
Advanced Intel's Vitali Kremez, who had already analyzed the archive, told 
BleepingComputer that the training material matches active Conti cases. 


"We can confirm based on our active cases. This playbook matches the active cases for 
Conti as we see right now," Kremez told BleepingComputer in a conversation. 


"By and large, it is the holy grail of the pentester operation behind the Conti ransomware 
"pentester" team from A-Z. The implications are huge and allow new pentester ransomware 
operators to level up their pentester skills for ransomware step by step." 


"The leak also shows the maturity of their ransomware organization and how sophisticated, 
meticulous and experienced they are while targeting corporations worldwide." 


"It also provides a plethora of detection opportunities, including the group's focus on AnyDesk 
persistence and Atera security software agent persistence to survive detections." 


This leak illustrates the vulnerability of ransomware-as-a-service operations: a single 
unhappy affiliate can expose carefully cultivated information and resources used in 
attacks. 
Recently the United States government announced that its Rewards for Justice program is 
now accepting tips on foreign malicious cyberactivity against U.S. critical infrastructure, with 
a potential $10 million reward for helpful information. 


Additionally, rewards through this program may be paid anonymously in cryptocurrency, 
which could incentivize low-paid affiliates to turn on other cybercriminals. 


Update 8/6/21: A source told BleepingComputer that Conti banned the pentester after 
learning he was poaching business away from their operation by promoting a different 
unidentified affiliate program. 


After being banned, the affiliate leaked Conti's training material and tools as revenge. 
xrobwx71 - 9 months ago 

Good info. Thanks, Grinler! 